| Message ID | 20240828195755.19385-1-stephen.smalley.work@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Ondrej Mosnáček |
| Headers | show |
| Series | [testsuite] policy,tests: add tests for netlink xperms | expand |
On Thu, Aug 29, 2024 at 6:00 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > Add tests for netlink xperms. Test program is based on an earlier test > program for netlink_send checking by Paul Moore. Exercising these > tests depends on the corresponding kernel patch, userspace patches, > and updating the base policy to define the new nlmsg permissions > and to enable the new netlink_xperm policy capability. > > For testing purposes, you can update the base policy by manually > modifying your base module and tweaking /usr/share/selinux/devel > (latter only required due to writing the test policy as a .te file > rather than as .cil in order to use the test macros) as follows: > sudo semodule -c -E base > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil > sudo semodule -i base.cil > echo "(policycap netlink_xperm)" > netlink_xperm.cil > sudo semodule -i netlink_xperm.cil > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ > /usr/share/selinux/devel/include/support/all_perms.spt > > When finished testing, you can semodule -r base netlink_xperm to > undo the two module changes and restore your all_perms.spt file > from the saved .orig file. > > NB The above may lead to unexpected denials of the new nlmsg permission > for existing domains on your system and prevent new ssh sessions from > being created. Recommend only inserting the netlink_xperm.cil module > just prior to running the testsuite and removing immediately thereafter. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Thank you Stephen. I was able to reproduce on Fedora rawhide, following your instructions. Tested-by: Thiébaud Weksteen <tweek@google.com>
On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > Add tests for netlink xperms. Test program is based on an earlier test > program for netlink_send checking by Paul Moore. Exercising these > tests depends on the corresponding kernel patch, userspace patches, > and updating the base policy to define the new nlmsg permissions > and to enable the new netlink_xperm policy capability. > > For testing purposes, you can update the base policy by manually > modifying your base module and tweaking /usr/share/selinux/devel > (latter only required due to writing the test policy as a .te file > rather than as .cil in order to use the test macros) as follows: > sudo semodule -c -E base > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil > sudo semodule -i base.cil > echo "(policycap netlink_xperm)" > netlink_xperm.cil > sudo semodule -i netlink_xperm.cil > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ > /usr/share/selinux/devel/include/support/all_perms.spt > > When finished testing, you can semodule -r base netlink_xperm to > undo the two module changes and restore your all_perms.spt file > from the saved .orig file. > > NB The above may lead to unexpected denials of the new nlmsg permission > for existing domains on your system and prevent new ssh sessions from > being created. Recommend only inserting the netlink_xperm.cil module > just prior to running the testsuite and removing immediately thereafter. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> Now that the kernel and userspace patches have been accepted, can we get this testsuite patch merged please? The test will only be enabled when the underlying policy defines the new nlmsg permission and enables the new netlink_xperm policy capability, so it won't break anything in the interim. We will need to separately submit a patch for refpolicy and/or Fedora policy to add these. > --- > policy/Makefile | 5 +++++ > policy/test_nlmsg.te | 34 ++++++++++++++++++++++++++++ > tests/Makefile | 5 +++++ > tests/nlmsg/.gitignore | 1 + > tests/nlmsg/Makefile | 5 +++++ > tests/nlmsg/nlmsg.c | 50 ++++++++++++++++++++++++++++++++++++++++++ > tests/nlmsg/test | 28 +++++++++++++++++++++++ > 7 files changed, 128 insertions(+) > create mode 100644 policy/test_nlmsg.te > create mode 100644 tests/nlmsg/.gitignore > create mode 100644 tests/nlmsg/Makefile > create mode 100644 tests/nlmsg/nlmsg.c > create mode 100755 tests/nlmsg/test > > diff --git a/policy/Makefile b/policy/Makefile > index f18e15d..32d7ede 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -158,6 +158,11 @@ TARGETS += test_userfaultfd.te > endif > endif > > +# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability > +ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true) > +TARGETS += test_nlmsg.te > +endif > + > ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) > TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) > endif > diff --git a/policy/test_nlmsg.te b/policy/test_nlmsg.te > new file mode 100644 > index 0000000..9e1e2a4 > --- /dev/null > +++ b/policy/test_nlmsg.te > @@ -0,0 +1,34 @@ > +######################################## > +# > +# Policy for testing the nlmsg extended permissions. > + > +define(`RTM_GETLINK', `18') > +define(`RTM_SETLINK', `19') > +define(`RTM_GETADDR', `22') > + > +attribute nlmsgtestdomain; > + > +# Domain that is allowed the nlmsg extended permissions. > +type test_nlmsg_xperm_t; > +typeattribute test_nlmsg_xperm_t nlmsgtestdomain; > +testsuite_domain_type(test_nlmsg_xperm_t) > +allow test_nlmsg_xperm_t self:netlink_route_socket create_socket_perms; > +# Also allow the legacy nlmsg_read/write permissions to ensure no false positives. > +allow test_nlmsg_xperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write }; > +allowxperm test_nlmsg_xperm_t self:netlink_route_socket nlmsg { RTM_GETLINK RTM_SETLINK RTM_GETADDR }; > + > +# Domain that is not allowed the nlmsg extended permissions. > +type test_nlmsg_noxperm_t; > +typeattribute test_nlmsg_noxperm_t nlmsgtestdomain; > +testsuite_domain_type(test_nlmsg_noxperm_t) > +allow test_nlmsg_noxperm_t self:netlink_route_socket create_socket_perms; > +# Also allow the legacy nlmsg_read/write permissions to ensure no false positives. > +allow test_nlmsg_noxperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write }; > +allowxperm test_nlmsg_noxperm_t self:netlink_route_socket nlmsg ~{ RTM_GETLINK RTM_SETLINK RTM_GETADDR }; > + > +# > +# Common rules for all nlmsg test domains. > +# > + > +# Trigger kernel module auto-loading of the protocol implementations. > +kernel_request_load_module(nlmsgtestdomain) > diff --git a/tests/Makefile b/tests/Makefile > index db4cb38..35bb358 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -153,6 +153,11 @@ ifneq ($(shell ./kvercmp $$(uname -r) 6.5),-1) > SUBDIRS += inet_socket/mptcp > endif > > +# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability > +ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true) > +SUBDIRS += nlmsg > +endif > + > ifeq ($(DISTRO),RHEL4) > SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) > endif > diff --git a/tests/nlmsg/.gitignore b/tests/nlmsg/.gitignore > new file mode 100644 > index 0000000..d4bea66 > --- /dev/null > +++ b/tests/nlmsg/.gitignore > @@ -0,0 +1 @@ > +nlmsg > diff --git a/tests/nlmsg/Makefile b/tests/nlmsg/Makefile > new file mode 100644 > index 0000000..1edab98 > --- /dev/null > +++ b/tests/nlmsg/Makefile > @@ -0,0 +1,5 @@ > +TARGETS=nlmsg > + > +all: $(TARGETS) > +clean: > + rm -f $(TARGETS) > diff --git a/tests/nlmsg/nlmsg.c b/tests/nlmsg/nlmsg.c > new file mode 100644 > index 0000000..a976b95 > --- /dev/null > +++ b/tests/nlmsg/nlmsg.c > @@ -0,0 +1,50 @@ > +#include <stdlib.h> > +#include <stdio.h> > +#include <string.h> > +#include <errno.h> > +#include <asm/types.h> > +#include <sys/socket.h> > +#include <linux/netlink.h> > +#include <linux/rtnetlink.h> > + > +int main(int argc, char *argv[]) > +{ > + int i, rc; > + int fd; > + unsigned char data[512]; > + struct nlmsghdr *nh[3]; > + struct sockaddr_nl sa; > + struct iovec iov; > + struct msghdr msg; > + > + memset(&sa, 0, sizeof(sa)); > + sa.nl_family = AF_NETLINK; > + > + memset(data, 0, sizeof(data)); > + iov.iov_base = data; > + iov.iov_len = 3 * NLMSG_SPACE(0); > + > + for (i = 0; i < 3; i++) { > + nh[i] = (struct nlmsghdr *)(data + (i * NLMSG_SPACE(0))); > + nh[i]->nlmsg_len = NLMSG_HDRLEN; > + } > + nh[0]->nlmsg_type = RTM_GETLINK; // nlmsg_read > + nh[1]->nlmsg_type = RTM_SETLINK; // nlmsg_write > + nh[2]->nlmsg_type = RTM_GETADDR; // nlmsg_read > + > + memset(&msg, 0, sizeof(msg)); > + msg.msg_name = &sa; > + msg.msg_namelen = sizeof(sa); > + msg.msg_iov = &iov; > + msg.msg_iovlen = 1; > + > + fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); > + rc = sendmsg(fd, &msg, 0); > + > + if (rc < 0) { > + perror("sendmsg"); > + exit(-1); > + } > + exit(0); > +} > + > diff --git a/tests/nlmsg/test b/tests/nlmsg/test > new file mode 100755 > index 0000000..18bb794 > --- /dev/null > +++ b/tests/nlmsg/test > @@ -0,0 +1,28 @@ > +#!/usr/bin/perl > +# > +# This test exercises the netlink extended perms support > +# > + > +use Test; > + > +BEGIN { > + $test_count = 2; > + plan tests => $test_count; > +} > + > +$basedir = $0; > +$basedir =~ s|(.*)/[^/]*|$1|; > + > +# > +# Attempt to send the netlink messages from the allowed domain. > +# > +$result = system "runcon -t test_nlmsg_xperm_t -- $basedir/nlmsg 2>&1"; > +ok( $result, 0 ); > + > +# > +# Attempt to send the netlink messages from the not-allowed domain. > +# > +$result = system "runcon -t test_nlmsg_noxperm_t -- $basedir/nlmsg 2>&1"; > +ok($result); > + > +exit; > -- > 2.40.1 >
On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > Add tests for netlink xperms. Test program is based on an earlier test > > program for netlink_send checking by Paul Moore. Exercising these > > tests depends on the corresponding kernel patch, userspace patches, > > and updating the base policy to define the new nlmsg permissions > > and to enable the new netlink_xperm policy capability. > > > > For testing purposes, you can update the base policy by manually > > modifying your base module and tweaking /usr/share/selinux/devel > > (latter only required due to writing the test policy as a .te file > > rather than as .cil in order to use the test macros) as follows: > > sudo semodule -c -E base > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil > > sudo semodule -i base.cil > > echo "(policycap netlink_xperm)" > netlink_xperm.cil > > sudo semodule -i netlink_xperm.cil > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ > > /usr/share/selinux/devel/include/support/all_perms.spt > > > > When finished testing, you can semodule -r base netlink_xperm to > > undo the two module changes and restore your all_perms.spt file > > from the saved .orig file. > > > > NB The above may lead to unexpected denials of the new nlmsg permission > > for existing domains on your system and prevent new ssh sessions from > > being created. Recommend only inserting the netlink_xperm.cil module > > just prior to running the testsuite and removing immediately thereafter. > > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > Now that the kernel and userspace patches have been accepted, can we > get this testsuite patch merged please? The test will only be enabled > when the underlying policy defines the new nlmsg permission and > enables the new netlink_xperm policy capability, so it won't break > anything in the interim. We will need to separately submit a patch for > refpolicy and/or Fedora policy to add these. Any objections to merging these tests now that the corresponding kernel support is merged? They will only run if the underlying base policy defines the new nlmsg permissions and enables the new netlink_xperm policy capability so nothing should break in the interim.
On Tue, Oct 8, 2024 at 9:02 AM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > > > On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley > > <stephen.smalley.work@gmail.com> wrote: > > > > > > Add tests for netlink xperms. Test program is based on an earlier test > > > program for netlink_send checking by Paul Moore. Exercising these > > > tests depends on the corresponding kernel patch, userspace patches, > > > and updating the base policy to define the new nlmsg permissions > > > and to enable the new netlink_xperm policy capability. > > > > > > For testing purposes, you can update the base policy by manually > > > modifying your base module and tweaking /usr/share/selinux/devel > > > (latter only required due to writing the test policy as a .te file > > > rather than as .cil in order to use the test macros) as follows: > > > sudo semodule -c -E base > > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil > > > sudo semodule -i base.cil > > > echo "(policycap netlink_xperm)" > netlink_xperm.cil > > > sudo semodule -i netlink_xperm.cil > > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ > > > /usr/share/selinux/devel/include/support/all_perms.spt > > > > > > When finished testing, you can semodule -r base netlink_xperm to > > > undo the two module changes and restore your all_perms.spt file > > > from the saved .orig file. > > > > > > NB The above may lead to unexpected denials of the new nlmsg permission > > > for existing domains on your system and prevent new ssh sessions from > > > being created. Recommend only inserting the netlink_xperm.cil module > > > just prior to running the testsuite and removing immediately thereafter. > > > > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > > > Now that the kernel and userspace patches have been accepted, can we > > get this testsuite patch merged please? The test will only be enabled > > when the underlying policy defines the new nlmsg permission and > > enables the new netlink_xperm policy capability, so it won't break > > anything in the interim. We will need to separately submit a patch for > > refpolicy and/or Fedora policy to add these. > > Any objections to merging these tests now that the corresponding > kernel support is merged? Not from me, although since the kernel support was merged less than 24 hours ago I might give Ondrej another day or two just in case he was waiting on that. If we still haven't heard from Ondrej towards the end of the week I think it's fair game to merge, I would have thought if he had any concerns he would have voiced them by now. > They will only run if the underlying base policy defines the new nlmsg > permissions and enables the new netlink_xperm policy capability so > nothing should break in the interim.
On Tue, Oct 8, 2024 at 3:41 PM Paul Moore <paul@paul-moore.com> wrote: > > On Tue, Oct 8, 2024 at 9:02 AM Stephen Smalley > <stephen.smalley.work@gmail.com> wrote: > > On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley > > <stephen.smalley.work@gmail.com> wrote: > > > > > > On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley > > > <stephen.smalley.work@gmail.com> wrote: > > > > > > > > Add tests for netlink xperms. Test program is based on an earlier test > > > > program for netlink_send checking by Paul Moore. Exercising these > > > > tests depends on the corresponding kernel patch, userspace patches, > > > > and updating the base policy to define the new nlmsg permissions > > > > and to enable the new netlink_xperm policy capability. > > > > > > > > For testing purposes, you can update the base policy by manually > > > > modifying your base module and tweaking /usr/share/selinux/devel > > > > (latter only required due to writing the test policy as a .te file > > > > rather than as .cil in order to use the test macros) as follows: > > > > sudo semodule -c -E base > > > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil > > > > sudo semodule -i base.cil > > > > echo "(policycap netlink_xperm)" > netlink_xperm.cil > > > > sudo semodule -i netlink_xperm.cil > > > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ > > > > /usr/share/selinux/devel/include/support/all_perms.spt > > > > > > > > When finished testing, you can semodule -r base netlink_xperm to > > > > undo the two module changes and restore your all_perms.spt file > > > > from the saved .orig file. > > > > > > > > NB The above may lead to unexpected denials of the new nlmsg permission > > > > for existing domains on your system and prevent new ssh sessions from > > > > being created. Recommend only inserting the netlink_xperm.cil module > > > > just prior to running the testsuite and removing immediately thereafter. > > > > > > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > > > > > Now that the kernel and userspace patches have been accepted, can we > > > get this testsuite patch merged please? The test will only be enabled > > > when the underlying policy defines the new nlmsg permission and > > > enables the new netlink_xperm policy capability, so it won't break > > > anything in the interim. We will need to separately submit a patch for > > > refpolicy and/or Fedora policy to add these. > > > > Any objections to merging these tests now that the corresponding > > kernel support is merged? > > Not from me, although since the kernel support was merged less than 24 > hours ago I might give Ondrej another day or two just in case he was > waiting on that. If we still haven't heard from Ondrej towards the > end of the week I think it's fair game to merge, I would have thought > if he had any concerns he would have voiced them by now. It is now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/023b79b8319e5fe222fb5af892c579593e1cbc50
diff --git a/policy/Makefile b/policy/Makefile index f18e15d..32d7ede 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -158,6 +158,11 @@ TARGETS += test_userfaultfd.te endif endif +# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability +ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true) +TARGETS += test_nlmsg.te +endif + ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS)) endif diff --git a/policy/test_nlmsg.te b/policy/test_nlmsg.te new file mode 100644 index 0000000..9e1e2a4 --- /dev/null +++ b/policy/test_nlmsg.te @@ -0,0 +1,34 @@ +######################################## +# +# Policy for testing the nlmsg extended permissions. + +define(`RTM_GETLINK', `18') +define(`RTM_SETLINK', `19') +define(`RTM_GETADDR', `22') + +attribute nlmsgtestdomain; + +# Domain that is allowed the nlmsg extended permissions. +type test_nlmsg_xperm_t; +typeattribute test_nlmsg_xperm_t nlmsgtestdomain; +testsuite_domain_type(test_nlmsg_xperm_t) +allow test_nlmsg_xperm_t self:netlink_route_socket create_socket_perms; +# Also allow the legacy nlmsg_read/write permissions to ensure no false positives. +allow test_nlmsg_xperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write }; +allowxperm test_nlmsg_xperm_t self:netlink_route_socket nlmsg { RTM_GETLINK RTM_SETLINK RTM_GETADDR }; + +# Domain that is not allowed the nlmsg extended permissions. +type test_nlmsg_noxperm_t; +typeattribute test_nlmsg_noxperm_t nlmsgtestdomain; +testsuite_domain_type(test_nlmsg_noxperm_t) +allow test_nlmsg_noxperm_t self:netlink_route_socket create_socket_perms; +# Also allow the legacy nlmsg_read/write permissions to ensure no false positives. +allow test_nlmsg_noxperm_t self:netlink_route_socket { nlmsg nlmsg_read nlmsg_write }; +allowxperm test_nlmsg_noxperm_t self:netlink_route_socket nlmsg ~{ RTM_GETLINK RTM_SETLINK RTM_GETADDR }; + +# +# Common rules for all nlmsg test domains. +# + +# Trigger kernel module auto-loading of the protocol implementations. +kernel_request_load_module(nlmsgtestdomain) diff --git a/tests/Makefile b/tests/Makefile index db4cb38..35bb358 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -153,6 +153,11 @@ ifneq ($(shell ./kvercmp $$(uname -r) 6.5),-1) SUBDIRS += inet_socket/mptcp endif +# nlmsg test dependencies: policy >= 30, nlmsg permission, netlink_xperm capability +ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && [ -f /sys/fs/selinux/class/netlink_route_socket/perms/nlmsg ] && grep -q 1 $(SELINUXFS)/policy_capabilities/netlink_xperm && echo true),true) +SUBDIRS += nlmsg +endif + ifeq ($(DISTRO),RHEL4) SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap nnp_nosuid overlay unix_socket, $(SUBDIRS)) endif diff --git a/tests/nlmsg/.gitignore b/tests/nlmsg/.gitignore new file mode 100644 index 0000000..d4bea66 --- /dev/null +++ b/tests/nlmsg/.gitignore @@ -0,0 +1 @@ +nlmsg diff --git a/tests/nlmsg/Makefile b/tests/nlmsg/Makefile new file mode 100644 index 0000000..1edab98 --- /dev/null +++ b/tests/nlmsg/Makefile @@ -0,0 +1,5 @@ +TARGETS=nlmsg + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff --git a/tests/nlmsg/nlmsg.c b/tests/nlmsg/nlmsg.c new file mode 100644 index 0000000..a976b95 --- /dev/null +++ b/tests/nlmsg/nlmsg.c @@ -0,0 +1,50 @@ +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include <asm/types.h> +#include <sys/socket.h> +#include <linux/netlink.h> +#include <linux/rtnetlink.h> + +int main(int argc, char *argv[]) +{ + int i, rc; + int fd; + unsigned char data[512]; + struct nlmsghdr *nh[3]; + struct sockaddr_nl sa; + struct iovec iov; + struct msghdr msg; + + memset(&sa, 0, sizeof(sa)); + sa.nl_family = AF_NETLINK; + + memset(data, 0, sizeof(data)); + iov.iov_base = data; + iov.iov_len = 3 * NLMSG_SPACE(0); + + for (i = 0; i < 3; i++) { + nh[i] = (struct nlmsghdr *)(data + (i * NLMSG_SPACE(0))); + nh[i]->nlmsg_len = NLMSG_HDRLEN; + } + nh[0]->nlmsg_type = RTM_GETLINK; // nlmsg_read + nh[1]->nlmsg_type = RTM_SETLINK; // nlmsg_write + nh[2]->nlmsg_type = RTM_GETADDR; // nlmsg_read + + memset(&msg, 0, sizeof(msg)); + msg.msg_name = &sa; + msg.msg_namelen = sizeof(sa); + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + + fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); + rc = sendmsg(fd, &msg, 0); + + if (rc < 0) { + perror("sendmsg"); + exit(-1); + } + exit(0); +} + diff --git a/tests/nlmsg/test b/tests/nlmsg/test new file mode 100755 index 0000000..18bb794 --- /dev/null +++ b/tests/nlmsg/test @@ -0,0 +1,28 @@ +#!/usr/bin/perl +# +# This test exercises the netlink extended perms support +# + +use Test; + +BEGIN { + $test_count = 2; + plan tests => $test_count; +} + +$basedir = $0; +$basedir =~ s|(.*)/[^/]*|$1|; + +# +# Attempt to send the netlink messages from the allowed domain. +# +$result = system "runcon -t test_nlmsg_xperm_t -- $basedir/nlmsg 2>&1"; +ok( $result, 0 ); + +# +# Attempt to send the netlink messages from the not-allowed domain. +# +$result = system "runcon -t test_nlmsg_noxperm_t -- $basedir/nlmsg 2>&1"; +ok($result); + +exit;
Add tests for netlink xperms. Test program is based on an earlier test program for netlink_send checking by Paul Moore. Exercising these tests depends on the corresponding kernel patch, userspace patches, and updating the base policy to define the new nlmsg permissions and to enable the new netlink_xperm policy capability. For testing purposes, you can update the base policy by manually modifying your base module and tweaking /usr/share/selinux/devel (latter only required due to writing the test policy as a .te file rather than as .cil in order to use the test macros) as follows: sudo semodule -c -E base sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil sudo semodule -i base.cil echo "(policycap netlink_xperm)" > netlink_xperm.cil sudo semodule -i netlink_xperm.cil sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \ /usr/share/selinux/devel/include/support/all_perms.spt When finished testing, you can semodule -r base netlink_xperm to undo the two module changes and restore your all_perms.spt file from the saved .orig file. NB The above may lead to unexpected denials of the new nlmsg permission for existing domains on your system and prevent new ssh sessions from being created. Recommend only inserting the netlink_xperm.cil module just prior to running the testsuite and removing immediately thereafter. Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> --- policy/Makefile | 5 +++++ policy/test_nlmsg.te | 34 ++++++++++++++++++++++++++++ tests/Makefile | 5 +++++ tests/nlmsg/.gitignore | 1 + tests/nlmsg/Makefile | 5 +++++ tests/nlmsg/nlmsg.c | 50 ++++++++++++++++++++++++++++++++++++++++++ tests/nlmsg/test | 28 +++++++++++++++++++++++ 7 files changed, 128 insertions(+) create mode 100644 policy/test_nlmsg.te create mode 100644 tests/nlmsg/.gitignore create mode 100644 tests/nlmsg/Makefile create mode 100644 tests/nlmsg/nlmsg.c create mode 100755 tests/nlmsg/test